Stick And Network Signature Based Intrusion Detection
Steve Howard
April 11, 2001

Situation:

18 March, 2001 – "ZDNet News: Technology News Now". "The Internet crime division of the FBI issued a vaguely-worded warning last week about an alarming new tool soon to be available to computer criminals." "The tool—called ‘Stick’—essentially disarms intrusion detection systems, a crucial line of defense in the largest military and corporate computer systems."

With the attention crackers and script kiddies have been getting from many and varied news reports, and with stronger emphasis being put on securing networks and web sites against attack, corporate entities are now turning their focus to the necessity of securing their internet and intranet exposure. As with any threat to the security of proprietary information, the integrity of a network, or the security of individual machines on that network, vendors, both established and new, are offering numerous tools to help information security departments keep their enterprise secure.

With the growth of intrusion detection tools and vendors we may have reached a point where information security departments are not staffed with enough qualified or certified personnel to effectively detect and analyze what constitutes a bona fide attack. They rely instead on the alerting capabilities of the intrusion detection systems they’ve either bought or downloaded, and are implementing these systems without really knowing or understanding what it is that they’re trying to accomplish. "…script kiddies are operating security," says Coretez Giovanni of Endeavor Systems, explaining his tool, Stick. Stick creates a denial of service attack not on computer networks, but rather on "the human processes that support intrusion detection." That is, it floods the IDS with alarms so that separating a real attack from false positives becomes very resource intensive. It also gives an attacker a means to disguise or hide a real attack within a flood of false alarms.

Denial of service attacks against ID systems are not new. In their paper "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" (1998), Thomas H. Ptacek and Timothy N. Newsham describe the possible ramifications of denial of service attacks on network intrusion detection systems. Most network based intrusion detection systems sit passively on the network in promiscuous mode, where they can intercept packets as they are transmitted. When a denial of service attack is launched against a network intrusion detection system and the system fails (due to exhausted CPU or memory resources), it will usually fail open, meaning it leaves the network in a state where it can be attacked further and perhaps compromised.

There are three areas of weakness I’d like to focus on that can make a tool like Stick part of a hacker’s kit: first, signature based intrusion detection systems and their strengths and weaknesses; second, the speed and processing power requirements that determine what a system can and cannot do; and last, the expertise and staffing requirements of information security departments.

Signature Based intrusion detection systems:

Signature based intrusion detection can reside on the network or on a single host. Host signature based intrusion detection scans the information contained in log files and compares it against the attack signatures in its database. Because the information has already been written to the log files, host based signature scanning doesn’t work in real time. The advantage of host based detection is that an attack can be looked at over a period of time, which may give a better picture of how far an intruder has gotten into your system. The drawbacks are that it is not real time, so the attack is already in progress or has already happened, and that in a medium to large enterprise managing the information from the many different hosts is formidable.

Network signature based intrusion detection does real-time scanning of headers in network packets as they cross the network and compares the information in the packet header to the attack signatures in the signature database. The advantage of a network based, signature scanning intrusion detection system is the immediacy of flagging suspected attacks with an alarm. A drawback, Mr. Giovanni points out, is that each packet is scanned individually, without regard to other packets on the network. This means a packet can be tailored specifically to set off an alert regardless of the information contained in the immediately preceding or subsequent packets. The intrusion detection system cannot tell you whether it is a valid attack.

This is the scenario Stick capitalizes on. Signature based intrusion detection systems usually use the IP header fields, the transport layer header fields, and the packet data payload as the most common signature attributes. If the trigger criteria for these attributes are known, then a packet can be made specifically to trigger that signature. However, in describing how his tool is designed, Mr. Giovanni comments: "If the tool was based on a set number of alarm patterns, it could be removed from the noise using trivial filters. So the tool needed to be based off the current signatures of an IDS in question and to be able to be upgraded without re-write to handle new configuration files when they are produced."

An IDS Mr. Giovanni experimented with was Snort, an open source, network signature or rules based intrusion detection system written by Martin Roesch. "The rule structure for an IDS can be seen as a language," says Mr. Giovanni, "…I took advantage of this fact and wrote a compiler for the snort rules that would create a random packet generator…As an afterthoug [sic] I created a command line that assigned function pointers to randomization functions as to allow for random IP zones for targeting and spoofing."

Speed and processing power:

Networked signature based intrusion detection systems, like virus scanning software, compare data in the packet headers with known attack signatures stored in a signature database. There is no attempt, however, to check the validity of the attack by determining the state of the packet being examined, the packet preceding it, or the packet following it. In some intrusion detection products certain assumptions are made about the state of the packets when an alarm is triggered, for example that a proper handshake between host and client took place before the packet arrived. This opens up the opportunity for a packet to be crafted, with no handshake, to trigger a false alarm, or, with Stick, for the network to be flooded with generated packets triggering hundreds or thousands of false alarms.

To determine the state of a packet and make better judgments about the validity of an attack, an ID system would have to keep state not only for the packet it is currently scanning but also for some number n of packets preceding it and m packets following it. This, of course, will take more CPU cycles and memory as it compares multiple packet headers with attack signatures.
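As an added illustration (not code from the paper or from Stick), the following simulates the two designs discussed above: a matcher that judges each packet alone, and one that keeps per-flow handshake state and runs content rules only on established connections. The rules, addresses and traffic are all constructed for the demo.

```python
# Added example, not the paper's or Stick's code: per-packet matching next to matching
# gated on a completed handshake. Packets are dicts; rules and traffic are hypothetical.
import random

RULES = [  # hypothetical Snort-style content rules: sid, destination port, payload
    {"sid": 1001, "dport": 80, "content": b"/cgi-bin/phf"},
    {"sid": 1002, "dport": 21, "content": b"SITE EXEC"},
    {"sid": 1003, "dport": 25, "content": b"WIZ"},
]

def rule_hits(pkt):
    """Sids of rules whose port and payload match this single packet."""
    return [r["sid"] for r in RULES
            if pkt["dport"] == r["dport"] and r["content"] in pkt["payload"]]

def stateless_ids(packets):
    """Per-packet matching with no connection state: the weakness Stick floods."""
    return [(p["src"], sid) for p in packets for sid in rule_hits(p)]

def stateful_ids(packets):
    """Track SYN / SYN-ACK / ACK per flow and run content rules only once a flow is
    established. The tables grow with every spoofed SYN: the memory cost the text notes."""
    half_open, established, alerts = {}, set(), []
    for p in packets:
        flow = (p["src"], p["dst"], p["sport"], p["dport"])
        rev = (p["dst"], p["src"], p["dport"], p["sport"])
        if flow in established:
            alerts.extend((p["src"], sid) for sid in rule_hits(p))
        elif p["flags"] == "S":
            half_open[flow] = "SYN"
        elif p["flags"] == "SA" and half_open.get(rev) == "SYN":
            half_open[rev] = "SYNACK"
        elif p["flags"] == "A" and half_open.get(flow) == "SYNACK":
            established.add(flow)
    return alerts

def build_traffic(n_noise=200, seed=1):
    """Constructed traffic: one real HTTP flow with a handshake, followed by handshake-less
    packets whose payloads are copied from the rule set, as a rule compiler would do."""
    rng, c, s = random.Random(seed), "10.0.0.5", "192.0.2.10"
    def pkt(src, dst, sport, dport, flags, payload=b""):
        return {"src": src, "dst": dst, "sport": sport, "dport": dport,
                "flags": flags, "payload": payload}
    legit = [pkt(c, s, 40000, 80, "S"), pkt(s, c, 80, 40000, "SA"), pkt(c, s, 40000, 80, "A"),
             pkt(c, s, 40000, 80, "PA", b"GET /cgi-bin/phf HTTP/1.0")]
    noise = [pkt(f"203.0.113.{rng.randrange(1, 255)}", s, rng.randrange(1024, 65535),
                 r["dport"], "PA", r["content"])
             for r in (rng.choice(RULES) for _ in range(n_noise))]
    return legit + noise
```

On the constructed traffic the stateless matcher raises 201 alerts while the state-aware one raises a single alert for the real flow, at the price of the per-flow tables the paragraph above describes.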

Additionally, the recording by network IDS of what exactly is taking place on a network preceding and during an attack is currently fairly minimal. Vendors are concerned that I/O time and disk access times will slow their product’s performance to the point where it may not compete favorably with a competitor’s product.

The trade-off, then, is that an intrusion detection system that looks at each packet as individual and unique is less CPU and memory intensive, but the validity of the attack becomes questionable, the amount of information about the attack decreases, or the number of false positives increases.

Information Security staffing and alert handling:

I don’t presume to speak for all corporations that staff information security departments, but I am curious about the staffing practices of many small to mid-sized companies. I would like to explore the possibility that there may be only enough qualified security people at any particular site to determine, through analysis, whether an IDS alarm triggered in the normal network traffic flow indicates an attacker, and if so, how to respond to that attack. There may also be additional employees to help if the alarm load rises above normal; however, they generally will not have the expertise to sort through the alarms and additional logging to determine what is and is not an attack.

If the premise is correct that many companies staff only to some arbitrary level of possible attacks or alarms per day, a Stick user could attack such a site, flooding its intrusion detection system with alarms far past the point where staff can determine whether or not someone has actually compromised the system. If the intrusion detection system cannot handle the number of alerts because of CPU usage or disk space being filled by log files, packets will get dropped, or worse, the intrusion detection system will fail open, allowing access to the network.
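An added example (not from the paper) of making the alert-handling side aware of its own capacity: alerts are bucketed by time window, and a window that exceeds an assumed analyst capacity and comes mostly from distinct sources is collapsed into one summary, so a flood is reported as a flood rather than as hundreds of individual incidents. The alert lines are constructed in a simplified Snort-like fast format.

```python
# Added example, not from the paper: rate-aware triage for the "human denial of service"
# described above. Alert lines are constructed in a simplified Snort-like fast format;
# the analyst capacity per window is an assumed staffing parameter.
import re
from collections import defaultdict

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\s+\[\*\*\]\s+\[1:(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"\s+\{\w+\}\s+(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")

def parse_alert(line):
    """Parse one alert line into a dict, adding seconds since midnight; None if malformed."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    h, mi, s = map(int, m["ts"].split(":"))
    return {**m.groupdict(), "sec": h * 3600 + mi * 60 + s}

def triage(lines, window=60, capacity=5, diversity=0.5):
    """Bucket alerts per window. A window is a storm when it holds more alerts than an
    analyst can review in that time AND most of them come from distinct (spoofed-looking)
    sources. Storm windows collapse to one summary; the rest pass through for review."""
    buckets = defaultdict(list)
    for a in filter(None, map(parse_alert, lines)):
        buckets[a["sec"] // window].append(a)
    out = []
    for b in sorted(buckets):
        alerts = buckets[b]
        srcs = {a["src"] for a in alerts}
        if len(alerts) > capacity and len(srcs) / len(alerts) >= diversity:
            out.append({"kind": "storm", "window": b, "alerts": len(alerts),
                        "sources": len(srcs), "sids": sorted({a["sid"] for a in alerts})})
        else:
            out.extend({"kind": "alert", "window": b, **a} for a in alerts)
    return out

def demo_lines(n_noise=40):
    """Constructed log: one alert from a real client, then a one-minute flood from many sources."""
    fmt = "{ts}  [**] [1:{sid}:1] {msg} [**] {{TCP}} {src}:{sp} -> 192.0.2.10:{dp}"
    sigs = [(1001, "WEB-CGI phf access", 80), (1002, "FTP SITE EXEC", 21), (1003, "SMTP WIZ", 25)]
    lines = [fmt.format(ts="10:00:05", sid=1001, msg="WEB-CGI phf access",
                        src="10.0.0.5", sp=40000, dp=80)]
    for i in range(n_noise):
        sid, msg, dp = sigs[i % 3]
        lines.append(fmt.format(ts=f"10:05:{i % 60:02d}", sid=sid, msg=msg,
                                src=f"203.0.113.{i + 1}", sp=1024 + i, dp=dp))
    return lines
```

The summary record keeps the signature ids and source count, which is what an analyst needs to recognise rule-compiler noise, while the single alert in the quiet window still reaches the queue untouched.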

Getting to the point:

While Stick in its current form is a means to set bells ringing in network signature based intrusion detection systems, it adds another tool to an intruder’s carpet bag and reinforces another facet of attack methods. An intruder who is aware that intrusion detection has been deployed on a network will, if they are smart, attack the intrusion detection first to disable the system or make it provide false information. By making the intrusion detection system provide false information, the attacker can cause a distraction on one part of the network while she attacks another network segment. Although a little extreme, the attacker may also be able to frame someone in the attacked organization by spoofing their IP address.

Network signature based intrusion detection systems, even with their vulnerabilities, are a necessary component of an overall protection strategy. What designers of the software components in IDS need to take into consideration is that intruders are going to try to invalidate the effectiveness of the system. Attackers will try to undermine the confidence factor, i.e. the faith that the system is working correctly, by creating excessive false positives, or even excessive false negatives, e.g. an intruder passing the ID system undetected. Developers working on these products have to understand that not only will the networks they build intrusion detection systems for come under attack, but the network ID systems they develop will often become the target of attack as well. This means they will have to understand the specific means by which their products can be attacked.

Unfortunately, denial of service and resource consumption attacks against network ID systems are very hard to defend against. Attacks that cause the intrusion detection system to crash can be defended against on an individual basis with patches, but finding all the potential vulnerabilities will be a daunting task.

Bibliography:

ICSA labs. "Technology Overview".
URL: http://www.icsalabs.com/html/communities/ids/buyers_guide/guide/Technology/technology.shtml

Giovanni, Coretez. "Fun with Packets: Designing a Stick."
URL: http://www.erurocompton.net/stick/

Allen, Julia; Christie, Alan; Fithen, William; McHugh, John; Pickel, Jed; Stoner, Ed. "State of the Practice of Intrusion Detection Technologies."
URL: www.sei.cmu.edu/pub/documents/99.reports/pdf/99tr028.pdf

Sullivan, Bob. "’Stick’ causes an anti-hacking panic." 18 March, 2001.
URL: http://www.zdnet.com/zdnn/stories/news/0,4586,2697767,00.html

Ptacek, Thomas H.; Newsham, Timothy N. "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection." January, 1998.
URL: http://secinf.net/info/ids/idspaper/idspaper.html

Roesch, Martin. Author of "Snort", an open source sniffer/logger. 4 January, 2001.
URL: http://sourceforge.net/projects/snort/
